3

I am trying to get the list of users who have owner access for a subscription.

I tried checking the Python Azure SDK, but am not getting any API which does this functionality.

The subscription list API is available, but it is not providing details of the users who have access to the particular subscription.

I tried the below code:

from azure.mgmt.resource import SubscriptionClient

# credentials: a ServicePrincipalCredentials (or similar) object created earlier
subscriptionClient = SubscriptionClient(credentials)
for subscription in subscriptionClient.subscriptions.list():
    print(subscription)

Any help would be appreciated

  • Try this REST API: https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/roleassignments_list – Joy Wang Oct 16 '18 at 06:07

3 Answers

2

Azure Python SDK

If you're looking to use the Azure Python SDK, then you should use the AuthorizationManagementClient class.

You can try to get the RoleAssignments for your subscription at the scope of the subscription itself.

I work closely with C#, so I don't have Python code handy, but will try to update back with Python code a little later.

UPDATE

Here's some sample code. I hope this gives you enough to proceed.

from azure.mgmt.authorization import AuthorizationManagementClient

# credentials: an authenticated credentials object; the second argument is the subscription ID
authorizationClient = AuthorizationManagementClient(credentials, '<your subscription guid>')
# lists every role assignment visible in the subscription
roles = authorizationClient.role_assignments.list()
for role in roles:
    print(role)

REST API

If you want to directly call the REST API from code, use the Microsoft.Authorization/roleAssignments REST API.

GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments?api-version=2018-01-01-preview

{scope} will be subscriptions/<your subscriptionId> to fetch roleAssignments at the subscription level.

Here is an example request to this API and its response.

To find all the users who have been explicitly assigned the "Owner" role at the subscription level:

Request:

GET https://management.azure.com/subscriptions/{my subscription GUID}/providers/Microsoft.Authorization/roleAssignments?api-version=2018-01-01-preview

Response:

Notice that the role definition ID in the response is "8e3af657-a8ff-443c-a75c-2fe8c4bcb635". This corresponds to the built-in Owner role.

{
  "value": [
    {
      "properties": {
        "roleDefinitionId": "/subscriptions/{my Subscription GUID}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
        "principalId": "{some user GUID}",
        "principalType": "User",
        "scope": "/subscriptions/{my Subscription GUID}",
        "createdOn": "2018-10-03T05:12:52.7213301Z",
        "updatedOn": "2018-10-03T05:12:52.7213301Z",
        "createdBy": "GUID",
        "updatedBy": "GUID"
      },
      "id": "/subscriptions/{my Subscription GUID}/providers/Microsoft.Authorization/roleAssignments/83eee76b-4a0d-4f61-8c62-409501e95457",
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "83eee76b-4a0d-4f61-8c62-409501e95457"
    }
  ]
}

Once you get the response, it will contain role definition IDs instead of exact names. For all built-in roles, you can know which role it is beforehand by visiting this Microsoft documentation. E.g. the ID for the Owner role is "8e3af657-a8ff-443c-a75c-2fe8c4bcb635".

Rohit Saigal
1

This PowerShell command:

(Get-AzureRmRoleAssignment -RoleDefinitionId "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" -Scope "/subscriptions/<your azure sub ID>" | where {($_.ObjectType -EQ "user") -and ($_.Scope -EQ "/subscriptions/<your azure sub ID>") }  ) | select DisplayName,SignInName

will return all Azure AD users with the subscription Owner role.

I have tried to capture data packets about this PS command, and it called multiple REST APIs to finish this process. You can host this command in Azure App Service WebJobs, Azure Functions or Azure Automation and expose a webhook to get the user list when you need it. Hope it helps.

Stanley Gong
  • Thanks, this is working. But when I am trying to run this command in Web Apps it is throwing an error like "Command not found". I tried to see if I can install Azure PowerShell inside Web Apps by adding it through an extension, but Azure PowerShell is not available in extensions. How can I run the command inside Web Apps? – Marshall Kiruba Oct 17 '18 at 08:53
  • Azure Web Apps has an internal service called Azure WebJobs; you can use it to run PowerShell scripts on a schedule or by trigger. For details, you may refer to: https://learn.microsoft.com/en-us/azure/app-service/web-sites-create-web-jobs – Stanley Gong Oct 17 '18 at 10:15
  • Thanks for your reply. But the issue is I am not able to run Azure PowerShell commands in Web Apps. This is the error I am getting: [10/19/2018 03:08:04 > 5198ab: ERR ] Connect-AzureRmAccount : The term 'Connect-AzureRmAccount' is not recognized. I checked for a Web App extension but am not getting any. Again, thanks so much for your help. – Marshall Kiruba Oct 19 '18 at 03:30
  • Welcome!! I got the same error. Using Add-AzureRmAccount will solve this issue :) – Stanley Gong Oct 19 '18 at 04:00
  • If you're a Microsoft partner, I found a free channel to solve Azure queries: https://aka.ms/devchat. They support online chat and email. – Stanley Gong Oct 19 '18 at 05:33
0

Late, but this could be helpful to someone else. Here is Python code to find the number of owners in a subscription:

from azure.mgmt.authorization import AuthorizationManagementClient

# credentials: an authenticated credentials object created earlier
authorizationClient = AuthorizationManagementClient(credentials, '<your subscription guid>')

def number_of_owners(client):
    owners_list = []
    subscription_scope = '/subscriptions/<your subscription guid>'
    owner_role = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'  # this is the ID for the built-in Owner role in Azure

    # atScope() restricts the listing to assignments made at or above the subscription scope
    roles = client.role_assignments.list_for_scope(
        scope=subscription_scope,
        filter='atScope()'
    )

    for role in roles:
        role_assignment_details = client.role_assignments.get(
            scope=subscription_scope,
            role_assignment_name=role.name
        )
        role_ids = role_assignment_details.properties.role_definition_id
        # role_definition_id is a full ARM path ending in the role GUID
        if owner_role in role_ids:
            owners_list.append(role_assignment_details.properties.principal_id)

    print(len(owners_list))
    return len(owners_list)

colbydh
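Both the REST response in Rohit Saigal's answer and the counting loop in the answer above leave the security-relevant filtering to the reader: the roleDefinitionId is a full ARM path whose last segment is the role GUID, an Owner assignment made on a resource group inside the subscription does not make its principal a subscription owner, an assignment inherited from a management group does, and an Owner assignment to a group hides the actual people behind it. The following Python is an added example, not code from the question or from any of the answers. It works only on the JSON shape the REST answer shows, using a constructed sample response with placeholder GUIDs so that it runs offline; the Contributor and Reader GUIDs in the table are the well-known built-in IDs and are not quoted on this page.

```python
import json

# Built-in role definition GUIDs. The Owner GUID is the one the answers quote;
# Contributor and Reader are the other well-known built-in IDs (not from this page).
BUILTIN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
}


def role_guid(role_definition_id):
    """roleDefinitionId is a full ARM path; the role GUID is its last segment."""
    return role_definition_id.rstrip("/").rsplit("/", 1)[-1].lower()


def classify_scope(assignment_scope, subscription_scope):
    """Where an assignment sits relative to the subscription being audited.

    'at'        - assigned on the subscription itself
    'inherited' - assigned above it (root "/" or a management group); it still
                  grants the role on this subscription
    'below'     - assigned on a resource group or resource inside it; it does
                  NOT make the principal an owner of the subscription
    """
    a = assignment_scope.lower().rstrip("/") or "/"
    s = subscription_scope.lower().rstrip("/")
    if a == s:
        return "at"
    if a.startswith(s + "/"):
        return "below"
    return "inherited"


def parse_role_assignments(response_text, subscription_id):
    """Flatten a roleAssignments list response into plain rows."""
    subscription_scope = "/subscriptions/" + subscription_id
    rows = []
    for item in json.loads(response_text).get("value", []):
        props = item["properties"]
        guid = role_guid(props["roleDefinitionId"])
        rows.append({
            "assignment": item["name"],
            "principalId": props["principalId"],
            "principalType": props.get("principalType", "Unknown"),
            "role": BUILTIN_ROLES.get(guid, "custom:" + guid),
            "level": classify_scope(props["scope"], subscription_scope),
        })
    return rows


def effective_owners(rows):
    """Principals that actually hold Owner on the subscription: direct or inherited."""
    return [r for r in rows
            if r["role"] == "Owner" and r["level"] in ("at", "inherited")]


def group_owners(rows):
    """Owner assignments granted to a group: the members are not in this
    response and need a separate directory lookup before anyone can say
    which people are owners."""
    return [r for r in effective_owners(rows) if r["principalType"] == "Group"]


# ---- constructed sample data (placeholder GUIDs, not real identities) ----
SUB = "11111111-2222-3333-4444-555555555555"  # placeholder subscription GUID
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
CONTRIB = "b24988ac-6180-42a0-ab88-20f7382dd24c"


def _assignment(name, role, principal, ptype, scope):
    """Build one entry in the shape the roleAssignments REST API returns."""
    return {
        "properties": {
            "roleDefinitionId": "/subscriptions/" + SUB
                + "/providers/Microsoft.Authorization/roleDefinitions/" + role,
            "principalId": principal,
            "principalType": ptype,
            "scope": scope,
        },
        "id": scope + "/providers/Microsoft.Authorization/roleAssignments/" + name,
        "type": "Microsoft.Authorization/roleAssignments",
        "name": name,
    }


SAMPLE_RESPONSE = json.dumps({"value": [
    _assignment("a1", OWNER, "user-0001", "User", "/subscriptions/" + SUB),
    _assignment("a2", OWNER, "group-0002", "Group",
                "/providers/Microsoft.Management/managementGroups/mg-example"),
    _assignment("a3", OWNER, "user-0003", "User",
                "/subscriptions/" + SUB + "/resourceGroups/rg-example"),
    _assignment("a4", CONTRIB, "sp-0004", "ServicePrincipal", "/subscriptions/" + SUB),
]})


if __name__ == "__main__":
    rows = parse_role_assignments(SAMPLE_RESPONSE, SUB)
    for r in effective_owners(rows):
        print(f"{r['principalType']:16} {r['principalId']:12} {r['level']}")
    print("owners:", len(effective_owners(rows)), "of which groups:", len(group_owners(rows)))
```

With the sample response, user-0001 (direct) and group-0002 (inherited from the management group) are the effective owners; user-0003 only owns a resource group and sp-0004 is a Contributor, so neither is counted. Feeding the function a real response works the same way because it only relies on the fields shown in the answer above.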